State elections officials fret over cybersecurity threats

Deputy Attorney General Rod Rosenstein announces on Friday that a grand jury has charged 13 Russian nationals and several Russian entities with interfering with the 2016 U.S. elections. (Jacquelyn Martin/AP)

State elections officials said Saturday that they want more information from federal officials to ensure they are protected from cybersecurity threats in light of evidence that foreign operatives plan to try to interfere in the midterm elections.

At a conference of state secretaries of state in Washington, several officials said the government was slow to share information about specific threats faced by states during the 2016 election. According to the Department of Homeland Security, Russian government hackers tried to gain access to voter registration files or public election sites in 21 states.

Although the hackers are not believed to have manipulated or removed data from state systems, experts worry that the attackers might be more successful this year. And state officials say reticence on the part of Homeland Security to share sensitive information about the incidents could hamper efforts to prepare for the midterms.

The frustrations were evident despite the fact that federal intelligence officials a day earlier had for the first time given a classified briefing to state officials about potential foreign threats on elections.

“We got some new information that was interesting. Did it change the course of what we were going to do or not do [in 2018]? No,” said Michele Reagan, Arizona secretary of state.

State officials have been scrambling to address vulnerabilities in their systems, particularly since the fall, when the Department of Homeland Security disclosed the attempts on the 21 states. Though it is not believed there were further attacks, experts say Russian operatives may have been laying the groundwork for a more aggressive effort in 2018.

Hackers “got close enough to the line” in 2016 and it “could be different or worse the next time around,” said Bob Kolasky, a senior DHS official who oversees infrastructure protection.

At the meeting, Kolasky and other DHS officials tried to reassure states that they are trying to be proactive. The agency has prioritized security clearances for secretaries of state aimed at making it easier to pass on critical information to states.

State elections officials and cybersecurity experts are pressuring Congress to act, asking lawmakers to appropriate all the federal funds approved in 2002 for election security. They also want lawmakers to pass legislation that would enact sweeping changes to strengthen U.S. election cybersecurity.

With shrinking state budgets and no new federal funds in sight, some states are years behind in replacing decades-old voting machines, equipping election employees with the latest technology, or auditing elections to make sure ballots were counted accurately.

Efforts to bolster security are hampered by the patchwork nature of election systems in the states, which are in charge of administering their own elections.

Moreover, some states have hundreds of local election agencies, each with varying levels of technical expertise. That makes it difficult to add security measures statewide.

For example, in Wisconsin, there are more than 1,800 municipalities and about 3,000 employees who help run elections.

The state encrypted its database as a response to threats in 2016 and is looking to add what is called multistep verification. This would require employees to enter a unique code sent to a second device, such as a cellphone, to log in. But not all election employees have work-issued cellphones or high-speed Internet.

“If a local clerk unwittingly gives up their password to the voter registration system, we won’t know that we have an unauthorized party that has entered the system,” said Michael Haas, Wisconsin’s state election administrator.

It’s not just government systems that states worry about. Most states rely on a contracted company for technical expertise that states can’t afford to do on their own. Yet this could lead to vulnerabilities: Last year, a data breach on a third-party voting machine company exposed nearly 2 million Chicago voter records.

An attack on one vendor could affect many elections, because some vendors serve several states. And smaller vendors may not have enough resources to defend themselves gainst sophisticated attacks, said researchers from the Harvard Kennedy School’s Belfer Center who study election security.

Another important way to secure elections, experts say, is to make sure voting machines are upgraded to retain paper backup copies of ballots. This allows states to review election results to make sure ballots were counted accurately. But this is expensive, and states vary widely in how much of this technology they have adopted. Five states still rely on a digital-only recording system.

[Opinion: The best safeguard against election hacking]

As they prepare for elections in 2018 and beyond, state and federal officials have formal systems to regularly share information on the latest security threats.

That wasn’t always the case. In 2016, state election officials expressed frustration that DHS did not share enough information that would have allowed them to thwart attempted attacks in real time. And it took nearly a year for DHS to formally notify every state whether they were targeted.

Now, DHS is providing security clearances to state election chiefs so they can share classified information. As of last week, 38 state officials submitted their information to receive a security clearance and were in some stage of the approval process.

Some states say they are happy with the improved communication.

“What’s happening now in 2018 is exactly the opposite” of 2016, said Judd Choate, chairman of the National Association of State Election Directors and Colorado election director. “They’re telling us about every single thing that pops up that relates to election infrastructure, and they’re constantly in contact about the various ways we can protect our systems.”